Hucliluo

**Name of the Vulnerable Software and Affected Versions** Future-Depth Institutional Management Website (IMS) version 1.0 **Description** The issue allows attackers to execute arbitrary commands via the `ad` parameter to "/admin area/login transfer.php" API endpoint. This enables attackers to potentially access and manipulate sensitive data. **Recommendations** For Future-Depth Institutional Management Website (IMS) version 1.0, consider restricting access to the "/admin area/login transfer.php" API endpoint until a patch is available. As a temporary workaround, avoid using the `ad` parameter in the affected API endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Future-Depth Institutional Management Website (IMS) version 1.0 **Description** The issue allows unauthorized attackers to directly upload malicious files to the courseimg directory. This is a result of a file upload vulnerability in the software. **Recommendations** For Future-Depth Institutional Management Website (IMS) version 1.0, consider restricting access to the courseimg directory to prevent unauthorized file uploads until a patch is available. As a temporary workaround, disabling the file upload feature can help minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MonikaBrzica scm (affected versions not specified) **Description** A critical issue has been found in MonikaBrzica scm, affecting some unknown functionality of the file upis u bazu.php. The manipulation of the `email`, `lozinka`, `ime`, or `id` arguments leads to SQL injection. The attack can be launched remotely. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Pingkon HMS-PHP (affected versions not specified) **Description** A critical vulnerability has been found in Pingkon HMS-PHP, affecting an unknown function of the file /admin/admin.php of the component Data Pump Metadata. The manipulation of the `uname/pass` argument leads to sql injection. It is possible to launch the attack remotely. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.